Mailjet – Highly critical – Arbitrary PHP code execution – SA-CONTRIB-2017-005

Description

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc.

The Mailjet module bundled version 5.2.8 of the PHPMailer library in its "includes" directory. As described in PSA-2016-004, that version of PHPMailer is vulnerable to remote PHP code execution, so every site running the module carried the vulnerable code.

Per Drupal.org policy, 3rd party code should not be stored in drupal.org repositories, so the fixed release no longer ships the library.

Updating this module is therefore not sufficient on its own: it requires manual actions to replace the PHPMailer library, as described in the README.txt file included in the release. After updating, verify that the old copy under "includes" is gone and that the version you installed is one PHPMailer upstream has patched.
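One way to audit a Drupal 7 docroot for bundled PHPMailer copies before and after the update, as an added example that is not part of this advisory or of the Mailjet module: it reads the $Version property that PHPMailer 5.x declares in class.phpmailer.php and flags anything below 5.2.20. The 5.2.20 threshold is taken from PHPMailer upstream's fix for the issues behind PSA-2016-004 (the first fix in 5.2.18 was bypassed and closed in 5.2.20), not from this advisory; the sites/all/... paths in the comments are assumptions about a typical layout.

```shell
#!/bin/sh
# Added audit helper (not Mailjet or Drupal code): find every class.phpmailer.php
# below a docroot and report whether its declared version predates PHPMailer
# upstream's fix. Assumed threshold: 5.2.20 (fix for the PSA-2016-004 issues).
MIN_SAFE="5.2.20"

# Print the version string declared in a PHPMailer 5.x class file, e.g. "5.2.8".
# Matches the line `public $Version = '5.2.8';` and strips everything but digits and dots.
phpmailer_version() {
    sed -n '/public \$Version/{s/[^0-9.]*//g;p;q;}' "$1"
}

# Turn a dotted version into a single integer so it can be compared with -lt.
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeed when $1 is strictly older than $2.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# Classify one class.phpmailer.php as "vulnerable", "ok" or "unknown".
check_phpmailer_file() {
    v=$(phpmailer_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$MIN_SAFE"; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# Walk a docroot and print one tab-separated line per copy found:
# path, declared version, verdict. On an unpatched site this would list, for
# example, sites/all/modules/mailjet/includes/phpmailer/class.phpmailer.php (assumed path).
scan_docroot() {
    find "$1" -name class.phpmailer.php -type f | while read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(phpmailer_version "$f")" "$(check_phpmailer_file "$f")"
    done
}

# Usage: sh audit_phpmailer.sh /var/www/drupal   (assumed docroot)
if [ "$#" -gt 0 ]; then
    scan_docroot "$1"
fi
```

Run it once before the update to confirm the 5.2.8 copy is present, and again afterwards: the module's "includes" copy should be gone and the only remaining copy should be the one you installed per README.txt, reported as "ok".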

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Mailjet 7.x-2.x versions prior to 7.x-2.9.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Mailjet module for Drupal 7.x, upgrade to Mailjet 7.x-2.9 and then replace the PHPMailer library as described in the release's README.txt.

Also see the project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
